Avoid using remember in pam_unix module


Description

The remember option of pam_unix stores the last n password hashes for each user in /etc/security/opasswd, enforcing password history and preventing users from reusing the same passwords. However, pam_unix writes these history entries with the MD5-based crypt hash, whatever algorithm is configured for the account passwords themselves, and MD5 is weak. Instead, the pam_pwhistory module should be used. It also stores the last n passwords in /etc/security/opasswd, but hashes them with the algorithm configured for pam_unix, such as yescrypt or SHA-512, which offers far better protection.

On Debian-based systems, the remember option should be removed from the pam_unix.so lines in the /etc/pam.d/common-* PAM configuration files (in practice the password stack in common-password).
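Two checks that go with this rule, as an added example (this is not code from the ComplianceAsCode rule or the PAM project): a scan of a password stack for pam_unix.so lines that still carry remember=N, a stripper for that argument, and a report of which crypt hash types a /etc/security/opasswd-style history file contains (pam_unix's remember writes MD5-crypt entries with the "$1$" prefix; pam_pwhistory writes whatever pam_unix's configured method produces, "$6$" for SHA-512 or "$y$" for yescrypt). The sample stacks and the opasswd lines are constructed for the demonstration; the hashes are placeholders, not real crypt output. The corrected sample places pam_pwhistory before pam_unix so that pam_unix picks up the new password with use_authtok.

```shell
#!/bin/bash
# Added example, not part of the ComplianceAsCode rule content.
#   1. does the password stack still pass remember=N to pam_unix.so?
#   2. what hash types does an opasswd-style history file hold?
# All sample input below is constructed; hashes are placeholders.

# Print pam_unix.so lines of the password stack in file $1 that carry
# remember=N. Comment lines and non-password lines are ignored.
pam_unix_remember_lines() {
    grep -E '^[[:space:]]*password[[:space:]]' "$1" \
        | grep 'pam_unix\.so' \
        | grep -E '(^|[[:space:]])remember=[0-9]+([[:space:]]|$)'
}

# Return 0 when no pam_unix.so line carries remember=N, 1 otherwise.
check_password_stack() {
    if pam_unix_remember_lines "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Emit $1 with the remember=N argument stripped from pam_unix.so lines only.
# sed -E has no \d (unlike the Python regex used by Ansible), so digits are
# matched with a character class.
strip_remember() {
    sed -E '/pam_unix\.so/ s/[[:space:]]+remember=[0-9]+([[:space:]]|$)/\1/g' "$1"
}

# For each user in an opasswd-style file ($1, lines of the form
# user:uid:count:hash1,hash2,...) print "<user> <md5 hashes> <other hashes>".
# MD5-crypt entries start with "$1$"; anything else counts as "other".
opasswd_hash_report() {
    awk -F: '{
        n = split($4, h, ","); md5 = 0; other = 0
        for (i = 1; i <= n; i++) {
            if (h[i] ~ /^\$1\$/) md5++
            else if (h[i] != "") other++
        }
        print $1, md5, other
    }' "$1"
}

# --- constructed sample input --------------------------------------------
DEMO_DIR=$(mktemp -d)
WEAK_STACK="$DEMO_DIR/common-password.weak"
FIXED_STACK="$DEMO_DIR/common-password.fixed"
OPASSWD="$DEMO_DIR/opasswd"

# Debian-style stack with history enforced by pam_unix (the weak configuration).
cat >"$WEAK_STACK" <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5
password requisite                  pam_deny.so
password required                   pam_permit.so
EOF

# Same stack with history moved to pam_pwhistory, which reuses pam_unix's hash method.
cat >"$FIXED_STACK" <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password requisite                  pam_pwhistory.so remember=5
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite                  pam_deny.so
password required                   pam_permit.so
EOF

# alice's history was written by pam_unix remember= (MD5-crypt, "$1$");
# bob's by pam_pwhistory under a yescrypt/SHA-512 pam_unix. Placeholder hashes.
cat >"$OPASSWD" <<'EOF'
alice:1000:2:$1$saltAAAA$placeholderMD5hashAAAAA,$1$saltBBBB$placeholderMD5hashBBBBB
bob:1001:2:$y$j9T$saltCCCC$placeholderYescryptHashCCCC,$6$saltDDDD$placeholderSHA512hashDDDD
EOF

for stack in "$WEAK_STACK" "$FIXED_STACK"; do
    if check_password_stack "$stack"; then
        echo "$(basename "$stack"): clean"
    else
        echo "$(basename "$stack"): pam_unix.so still carries remember="
    fi
done
echo "--- pam_unix line after stripping remember= ---"
strip_remember "$WEAK_STACK" | grep pam_unix
echo "--- opasswd hash types (user md5 other) ---"
opasswd_hash_report "$OPASSWD"
```

Running the report against a real /etc/security/opasswd (as root) shows whether old MD5 entries written before the change are still present; they stay there until each user has changed their password enough times to rotate them out.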

Rationale

Removing the remember argument from pam_unix (and enforcing history with pam_pwhistory instead) ensures that the password history is protected by a stronger hashing algorithm. A more robust hash makes it much harder for an attacker who obtains /etc/security/opasswd to recover old passwords, which users frequently reuse elsewhere or vary only slightly, thereby protecting user credentials.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then

# Debian-based systems: Use pam-auth-update
conf_name=cac_unix
conf_path="/usr/share/pam-configs"

# Derive a site profile from the packaged "unix" profile so that pam-auth-update,
# rather than a direct edit of /etc/pam.d/common-*, carries the change.
if [ ! -f "$conf_path"/"$conf_name" ]; then
    if [ -f "$conf_path"/unix ]; then
        # Only copy the profile if it is still the unmodified packaged version.
        if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
            cp "$conf_path"/unix "$conf_path"/"$conf_name"
            # Outrank the packaged profile and declare a conflict so it replaces it.
            sed -i 's/Priority: [0-9]\+/Priority: 257\
Conflicts: unix/' "$conf_path"/"$conf_name"
            DEBIAN_FRONTEND=noninteractive pam-auth-update
        else
            echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
        fi
    else
        echo "Not applicable - $conf_path/unix does not exist" >&2
    fi
fi
config_file="/usr/share/pam-configs/cac_unix"
if [ -f "$config_file" ]; then
    # Strip remember=N from pam_unix.so lines in the Password and Password-Initial
    # sections only. GNU sed -E does not support \d, so digits are matched with [0-9].
    sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
        /pam_unix\.so/ {
            s/\s*\bremember=[0-9]+\b//g
        }
    }' "$config_file"

    # Regenerate /etc/pam.d/common-* from the updated profile.
    DEBIAN_FRONTEND=noninteractive pam-auth-update
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue. Unlike the shell script, it edits the generated /etc/pam.d/common-* files directly rather than a pam-auth-update profile, so a later pam-auth-update run will treat those files as locally modified; only the password stack in common-password can carry the option, and the other files are included for completeness.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - accounts_password_pam_unix_no_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Avoid using remember in pam_unix module - Remove remember option from pam_unix.so
  ansible.builtin.replace:
    dest: '{{ item }}'
    regexp: (\s+pam_unix\.so.*)\s+remember=\d+\b(.*)
    replace: \1\2
  loop:
  - /etc/pam.d/common-password
  - /etc/pam.d/common-auth
  - /etc/pam.d/common-account
  - /etc/pam.d/common-session
  - /etc/pam.d/common-session-noninteractive
  when: '"libpam-runtime" in ansible_facts.packages'
  tags:
  - accounts_password_pam_unix_no_remember
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

Warning

If the system relies on the authselect tool to manage PAM settings, the remediation will also use authselect. However, if any manual modification was made to the PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message is shown in the remediation report.